This website uses cookies primarily for visitor analytics. Certain pages will ask you to fill in contact details to receive additional information. On these pages you have the option of having the site log your details for future visits. Indicating you want the site to remember your details will place a cookie on your device. To view our full cookie policy, please click here. You can also view it at any time by going to our Contact Us page.

Keeping food cyber-safe

26 August 2015

With the complexity and sophistication of today’s food processing automation and control systems, cyber security is now high on the industrial IT agenda for all manufacturing organisations, and the food and drink industry is as susceptible to cybersecurity threats and attacks as any other industry.

When an industry lives and dies by downtime, any reason for stopping the processing line is costly for a food processor. And when goods are perishable, pressure to get the production line back up and running is even higher. But what can a company do if the fix isn’t simply shutting down the line and installing a spare part?

“Apocalyptic Hollywood productions have been capturing people’s imaginations for decades, but when the credits roll, the fantasy ends and the film is over,” explains Scott Blackwell of Vacon UK. “But this view is dangerously complacent, and more should be done to protect the industry’s automation systems from hackers.”

Cyber security breaches have been on the rise for the last few years, and they’ve caused a reasonable amount of concern. An interesting way to put it into perspective is to visit Norse’s real-time cyber attacks map at map.ipviking.com. The number and frequency of the attacks is astonishing.

“Hundreds of cyber attacks happen around the world every minute, many of them in industry, so it’s more important than ever to have a rugged security system in place within your manufacturing facility,” suggests Amy Wells, Business Development and Marketing Manager of industrial Ethernet specialist Electroustic. “Many companies start out with the best of intentions, but fail to fully implement security systems or staff training procedures. We often see cases where the fear of cyber threats motivates a company to buy highly sophisticated security systems that it then can’t implement – either due to lack of technical knowledge or physical IT resources. Ironically, this often leads to companies becoming more scared of their security system than cyber threats.”

Until as recently as 2010, the general consensus was that cyber threats occurred only in office and administrative environments. “In recent years however, malware such as Stuxnet, Duqu, Night Dragon and Flame has proved that industrial automation environments are becoming a target for persons with nefarious aim, and has also shown that the consequences of these attacks can be devastating,” reveals Blackwell. “Stuxnet in particular proved that production plants aren’t safe from hackers and that those apocalyptic movie scenarios are too close to reality for comfort. As is now widely known, Stuxnet was a malware package that attacked and sabotaged Siemens industrial control systems. Stuxnet only required a USB connection to get onto a plant’s SCADA platform and begin its attack.”

A cyber attack via a SCADA system can lead to the loss, theft or corruption of data that is important, sensitive and valuable. Product tracking information, for example, can be deleted or tampered with, and recipes can be stolen or modified. Food and drinks manufacturers stand to lose millions of pounds – not to mention their reputations – if they fall victim to cyber attacks like these.

“An equally worrying scenario involves tampering with production where the hacker installs malware that makes a manufacturing plant malfunction,” says Blackwell. “At best, this will lead to costly loss of production. At worst, if the problem is not promptly detected, it could lead to potentially harmful products reaching the market. There is also the possibility of damage to the plant itself – destruction of pumps and mixers, for example – leading to extended downtime and high remedial costs.”

Threats to the food industry

IT systems in industry aren’t like computers we use at home. Consumer technology is readily updated and upgraded, while industrial communications systems can remain in place for decades. It’s not uncommon, for example, to see Windows XP in factory applications – an operating system that stopped being sold to OEMs in 2008.

“The problem with these obsolete systems is that vulnerabilities have been known to hackers for years,” explains Wells. “This is just one of the reasons why the number of attacks in industry has risen recently. One of the most common threats, and one that is definitely on the rise, is denial of service (DoS) attacks. A machine or piece of software is immobilised for the duration of the attack, which last minutes or hours and could result in serious costs to a food manufacturer. The best way to mitigate this type of attack is to carefully configure the server and explicitly define what resources an application can use and how it will respond to requests from clients.”

But security incidents are not necessarily caused by external factors. They can also originate from inside the organisation, either deliberately or accidentally. However, regardless of the intent or originator, every food manufacturer has unique assets and exclusive – sometimes top secret – recipes it must protect to remain competitive, and a cyber attack, whether deliberate or not, puts these assets in danger.

Steps to take

“First it’s key to understand your processing facility’s cyber environment so that you can put measures in place to protect your industrial control and automation systems,” says Paul O’Connell from SolutionsPT. “The first step is to conduct a full security risk assessment, with each organisation identifying the unique risks to its own assets, and then put steps in place to mitigate that risk. But it’s important to note that one single action isn’t the answer; there are three key areas where companies can focus their attentions. Firstly, it’s important for food processing companies to work with their own staff to educate them about the ways in which the organisation and they as individuals may be targeted directly or indirectly. Next, companies should examine their processes. Having the correct processes in place to help control the health of an industrial control system is key. For example, your IT department may be perfectly competent at managing the updating of systems within the corporate network, but it requires specialist skill to complete something like an antivirus update within the industrial control system.

“Finally, organisations should complete an audit of their technology to ensure that it is fit for purpose. Technology can help protect engineering and IT from cyber security threats in a number of ways. For example, redesigning and simplifying an industrial control system using thin client technology firewalls and real-time threat monitoring, can vastly reduce the risk of an attack. Preparation is vital and something as simple as the use of a SCADA performance management system can help to detect inappropriate access to the industrial control system before there’s even an issue.”

Blackwell’s advice includes disabling and replacing CD and traditional USB ports with ruggedised industrial memory ports. “This ensures that information cannot leave the company on an external memory device and only authorised hardware can be connected,” he explains. “In addition, a good firewall will stop many cyber attacks in their tracks as well as acting as a strong deterrent. Protecting mobile devices and laptops used by members of staff is, however, as important as installing a firewall.

“In industrial environments, installing a standard antivirus package isn’t enough. Protection specifically designed for industrial applications is needed. This will, for example, enable enterprises to scan executable programs, assessing the security of each application by monitoring its activities when in operation. What’s more, an all-in-one IT security console can help monitor and control all areas of the plant to ensure the integrity of data. With the single management console, plant administrators can install, configure and manage security, access reports and observe suspicious activities at a glance.”

Due to the interconnectedness of the product network, there are worries that applications are susceptible to attack, especially if the system includes remote data access or cloud computing. “In this scenario, we often see companies decide they need to implement a complicated virtual private network (VPN), despite a total lack of IT infrastructure or expertise,” explains Wells. “Raising awareness of these kinds of threats is paramount in making industry safer. Cyber security training should be given at companies from the top down. It might sound silly, but not everyone knows that USB sticks can be a hazard.”

“Unfortunately, as in many other industries, something catastrophic has to happen before some food processors will take preventative action,” says O’Connell. “Many food processing companies don’t regard themselves as a target for hackers. However, according to security experts, hackers are no longer the biggest threat to cyber security. Simple mistakes and poor security best practices are quickly becoming just as dangerous, so food processing companies need to ensure they are protected from the threat within.”

E-mail this page

MOST VIEWED...

Controlling the temperature of food across the whole supply chain is vital to extend shelf life. But how much can be gained by food manufacturers through careful monitoring at all process stages?Full Story...

Over the past 10 years Anheuser-Busch InBev (A-B InBev) has grown its global distribution network using a strategy which goes against the grain for traditional brewery specifications. In place of cost and time intensive permanent structures, it has adopted a design-driven approach in partnership with Herchenbach, a manufacturer of temporary buildings and semi-permanent warehouses. Full Story...